This document describes how to set up an SSH tunnel automatically every time a backup is started in such a manner that it automatically closes when the backup is complete. The idea of this is to eliminate the need for VPNs or other tunnels such as stunnel. The benefit of this approach is that all configuration is available within backuppc, it relies on very common software, and provides an easy and flexible way to reach hosts even behind firewalls (assuming the firewall has an SSH server running). The drawback of this approach is that it may produce a bit more overhead than other encryption solutions.
As most use cases should be about providing encryption for rsyncd, my examples will show how to do it. However, with a few modifications the model can be adapted to allow encryption for other uses as well.
This document assumes that you have set up key-based authentication for SSH (described in the FAQ http://backuppc.sourceforge.net/faq/ssh.html).
Firewall configurations are outside the scope of this document. In short: in addition to working SSH connections you need to be able to open a connection from the firewall to port 873 on the client if these are not the same machine.
There are a few applications of this approach, combined in any way:
The script creates a tunnel to the firewall, and a port forward from it to the client. Please be aware that traffic is NOT encrypted between the firewall and the client, only between the server and the firewall.
The script creates a tunnel to a host on the same network as the client, thus encrypting rsyncd traffic. UNTESTED: sshd running on the same WinXX machine as rsyncd (please report!).
If you do not want to, or do not have permission to, modify your network's firewall rules, this approach allows you to create the tunnel only for the duration of each connection.
First of all, we need a wrapper script to handle SSH in order to allow it to background while the backup is running. Open an editor (e.g. 'nano /path/to/script') and paste the following two lines:
#!/bin/sh
ssh "$@" 1>/dev/null 2>/dev/null && echo "SSH started successfully."
This script imports all arguments from your backuppc configuration, and wraps around SSH to redirect stdout and stderr. Be sure to make it executable (e.g. 'chmod 755 /path/to/script').
Now all we need is to configure the following parameters for each client in BackupPC:
In the Xfer section:
$Conf{RsyncdClientPort} = PORT
In the Backup Settings section:
$Conf{ClientNameAlias} = localhost
$Conf{DumpPreUserCmd} = /path/to/script -f -L PORT:CLIENT:873 USER@GATE sleep 20
PORT should be the same in both parameters above, but unique for each client.
PORT should be a free port above 1024 (e.g. 7001, 7002, ...).
CLIENT refers to the hostname or IP address of the computer to be backed up.
GATE refers to the hostname or IP address of the computer running SSH.
Depending on your setup, you may replace some of the above with variables within BackupPC (see the documentation).
The SSH command will be backgrounded (-f), create a tunnel (-L) and sleep to give the backup traffic time to start. SSH closes the connection automatically only once the remote command has completed and no connection remains open through the tunnel, whichever happens last.
Hint: if your link is slow, add '-C' to compress the SSH tunnel.
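As an added example (not the page's own wrapper script), the variant below validates PORT, binds the forward to the loopback address only so that other hosts cannot reach the unencrypted rsyncd port through the BackupPC server, and makes ssh fail (aborting the backup) instead of continuing silently when the forward cannot be set up or a password prompt would block. It assumes it is invoked from $Conf{DumpPreUserCmd} as '/path/to/script PORT CLIENT USER@GATE'; the DRY_RUN variable is an assumption added so the command line can be inspected without opening a connection.

```shell
#!/bin/sh
# Wrapper for BackupPC's DumpPreUserCmd (added example, assumed invocation):
#   /path/to/script PORT CLIENT USER@GATE
# Key-based authentication to GATE must already be set up.

# PORT must be a free, unprivileged port (above 1024, below 65536).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1024 ] && [ "$1" -lt 65536 ]
}

# Build and run the tunnel command:
#   -f                   background ssh once the forward is established
#   ExitOnForwardFailure fail (and so fail the backup) if PORT is already taken
#   BatchMode            never prompt for a password, which would hang the backup
#   -L 127.0.0.1:...     accept forwarded connections from this host only
#   sleep 20             keep the session up until the backup traffic starts
start_tunnel() {
    port=$1; client=$2; gate=$3
    valid_port "$port" || { echo "PORT must be a free port above 1024" >&2; return 2; }
    set -- -f -o ExitOnForwardFailure=yes -o BatchMode=yes \
        -L "127.0.0.1:$port:$client:873" "$gate" sleep 20
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # Assumed helper behaviour: print the command instead of running it.
        echo "ssh $*"
        return 0
    fi
    ssh "$@" >/dev/null 2>&1 && echo "SSH started successfully."
}

if [ $# -gt 0 ]; then
    start_tunnel "$@"
fi
```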
Comments and reports of success or failure are welcome.